Fine-Grained Password Policies in Windows Server 2012 R2

The fine-grained password policies feature was introduced in Windows Server 2008. It allows organizations to define more than one password and account lockout policy in a single domain, and to apply those policies to different sets of users. Prior to Windows Server 2012, you had to use PowerShell, ADSI Edit or the Ldifde command-line utility to create the Password Settings Objects (PSOs) that define fine-grained password policies. In Server 2012 and 2012 R2, you can use the GUI-based Active Directory Administrative Center (ADAC) to create PSOs and view the resultant password settings for particular users in your environment.


Limitations of fine-grained password policies

  • Can only be applied to users and global security groups, which means they cannot be applied to OUs.
  • Domain functional level must be Windows Server 2008 or higher.
  • By default, only Domain Admins can set fine-grained password policies on users and groups, but this ability can be delegated to other users.


1. Create and apply a PSO


Fine-grained password policies are defined by creating Password Settings Objects, and then applying those to users and groups. In Server 2012 and 2012 R2 you can use Active Directory Administrative Center and Windows PowerShell to create and apply PSOs.

It’s important to keep in mind that a user can only have one effective password and account lockout policy. If more than one PSO is applied to a user, either directly or through group membership, the precedence value of each PSO determines which one wins. A lower precedence value means a higher rank, so the PSO with the lowest precedence value becomes the effective PSO for the user. The exception to this rule is that PSOs applied directly to a user always prevail over PSOs applied to groups (which reach the user through group membership).

If no PSOs are applied to a user, the Default Domain Policy will be applied to that user.
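The precedence rules above can be modeled in a few lines of PowerShell. This is an added example, not part of the original article: the function name Resolve-EffectivePso, the DNs under DC=example,DC=test, and the PSO names other than PSO2 are constructed for illustration, and ties between equal precedence values are not modeled. It runs offline against sample objects and does not query Active Directory.

```powershell
# Added example: models the PSO precedence rules described above.
# All DNs and the PSO names other than PSO2 are constructed sample data.
function Resolve-EffectivePso {
    param(
        [Parameter(Mandatory)] [string] $UserDn,
        [string[]] $GroupDns = @(),   # global security groups the user belongs to
        [object[]] $Psos = @()        # objects with Name, Precedence, AppliesTo
    )
    # Rule 1: PSOs linked directly to the user always beat group-linked PSOs.
    $candidates = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    $source = 'Direct'
    if ($candidates.Count -eq 0) {
        # Rule 2: otherwise consider PSOs linked to any of the user's groups.
        $candidates = @($Psos | Where-Object {
            $applies = $_.AppliesTo
            @($GroupDns | Where-Object { $applies -contains $_ }).Count -gt 0
        })
        $source = 'Group'
    }
    if ($candidates.Count -eq 0) {
        # Rule 3: no PSO applies, so the Default Domain Policy is in effect.
        return [pscustomobject]@{ Name = 'Default Domain Policy'; Source = 'Domain'; Precedence = $null }
    }
    # Within the candidate set, the lowest precedence value wins.
    $winner = $candidates | Sort-Object -Property Precedence | Select-Object -First 1
    [pscustomobject]@{ Name = $winner.Name; Source = $source; Precedence = $winner.Precedence }
}

$base = 'DC=example,DC=test'   # constructed domain
$psos = @(
    [pscustomobject]@{ Name = 'PSO2'; Precedence = 5
        AppliesTo = @("CN=Data,OU=Groups,$base", "CN=Managers,OU=Groups,$base") }
    [pscustomobject]@{ Name = 'PSO-Staff'; Precedence = 10
        AppliesTo = @("CN=Staff,OU=Groups,$base") }
    [pscustomobject]@{ Name = 'PSO-Svc'; Precedence = 20
        AppliesTo = @("CN=svc-backup,OU=Users,$base") }
)

# Member of Managers and Staff: two group-linked PSOs compete on precedence value.
Resolve-EffectivePso -UserDn "CN=rjones,OU=Users,$base" -Psos $psos `
    -GroupDns "CN=Managers,OU=Groups,$base", "CN=Staff,OU=Groups,$base"

# Directly linked PSO plus membership in Data: the direct link decides,
# even though the group-linked PSO has a lower precedence value.
Resolve-EffectivePso -UserDn "CN=svc-backup,OU=Users,$base" -Psos $psos `
    -GroupDns "CN=Data,OU=Groups,$base"

# No direct link and no matching group: falls back to the domain policy.
Resolve-EffectivePso -UserDn "CN=guest1,OU=Users,$base" -Psos $psos
```

The second case is the one to watch when reviewing assignments: a PSO linked directly to an account overrides a stricter group-linked PSO regardless of the precedence numbers.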


1.1 Create and apply a PSO using ADAC


1.1.1 Start Active Directory Administrative Center
1.1.2 Select Domain name → System → Password Settings Container


1.1.3 Right-click inside the Password Settings Container → New → Password Settings


1.1.4 Fill in the appropriate information on the Create Password Settings properties page

Click Add on the Directly Applies To section, and select the users/groups you want to apply the PSO to

Finally, click OK to create the PSO



1.2 Create and apply a PSO using PowerShell


1.2.1 Use the New-ADFineGrainedPasswordPolicy cmdlet to create the PSO. The following example creates a PSO named PSO2, with exactly the same settings as we defined in the PSO we created with ADAC. The parameters for the cmdlet are pretty much self-explanatory.

New-ADFineGrainedPasswordPolicy -Name "PSO2" -Precedence 5 -ComplexityEnabled $false -Description "PSO Number 2" -DisplayName "PSO2" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold 5 -MaxPasswordAge "42.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 7 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true


1.2.2 Use the Add-ADFineGrainedPasswordPolicySubject cmdlet to apply PSOs to users and groups. The following example will apply PSO2 to the Data and Managers groups


Add-ADFineGrainedPasswordPolicySubject PSO2 -Subjects Data,Managers


1.2.3 Verify in Active Directory Administrative Center that the settings and assignment of the PSO have been applied correctly


2. View the Resultant PSO for a user


2.1 Viewing the resultant PSO for a user in ADAC


2.1.1 Locate the user in ADAC
2.1.2 Right-click user → View resultant password settings

2.1.3 The PSO applied to the user will be displayed


2.2 Viewing the resultant PSO for a user in PowerShell


2.2.1 Use the Get-ADUserResultantPasswordPolicy cmdlet. The following example gets the resultant PSO for the same user (rjones)

Get-ADUserResultantPasswordPolicy rjones